CLAIMS

1. Method for security management in a node of a data
processing network comprising a plurality of nodes, wherein each
node maintains topology data representing the network, the method
comprising:

evaluating an event received by the node from a neighboring
node in the network to determine if the event satisfies a
predetermined security test; and,

if the event fails the security test, modifying an entry
associated with the neighboring node in the topology data
maintained by the node, and sending an alarm notification
indicative of the security failure to other nodes of the network.

2. Method as claimed in claim 1, wherein the sending step
includes sending the alarm notification to all nodes of the
network.

3. Method as claimed in claim 1, wherein the evaluating of the
event received from the neighboring node comprises:

counting the number of occurrences of the event in a
predetermined time interval;

incrementing a rating of the neighboring node if the number
of occurrences exceeds a predetermined event occurrence
threshold; and,

determining that the event fails the security test if the
rating of the neighboring node exceeds a predetermined rating
threshold.

4. Method as claimed in claim 1, comprising:

receiving an alarm notification generated by another node in
the network, the received alarm notification being indicative of
an event caused by a further node in the network;

evaluating the alarm notification received generated by the
other node to determine if the other node satisfies a
predetermined trust test, and,

evaluating the event indicated by the alarm notification if
the other node passes the trust test to determine if the event
indicated by the alarm notification satisfies the security test;
and,

if the event fails the security test, modifying the topology
data associated with the event causing node in the topology data
maintained by the node, and sending another alarm notification
indicative of the security failure to other nodes of the network.

5. Method as claimed in claim 4, wherein the evaluating of the
event indicated by the alarm notification comprises:

counting the number of occurrences of the event indicated by
the alarm notification in a predetermined time interval;

incrementing a rating of the event causing node if the
number of occurrences exceeds a predetermined event occurrence
threshold; and,

determining that the event fails the security test if the
rating of the event causing node exceeds a predetermined rating
threshold.
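
An added sketch, not part of the claims or of any implementation by the applicant, of the logic recited in claims 1 and 3 to 5: occurrence counting over a time interval, a per-node rating, the topology update with alarm, and the trust gate on relayed alarms. The class and field names, the default thresholds, the trust test (reporter is known and not flagged) and clearing the window after each rating increment are all assumptions.

```python
from collections import defaultdict, deque

class Node:
    """Illustration of claims 1 and 3-5; names and thresholds are assumptions."""

    def __init__(self, name, interval=10.0, occ_threshold=3, rating_threshold=2):
        self.name = name
        self.interval = interval                  # "predetermined time interval" (s)
        self.occ_threshold = occ_threshold        # "event occurrence threshold"
        self.rating_threshold = rating_threshold  # "rating threshold"
        self.topology = {}                        # node id -> {"trusted": bool}
        self.rating = defaultdict(int)            # node id -> rating
        self.seen = defaultdict(deque)            # (node id, event) -> timestamps
        self.sent_alarms = []                     # stands in for the network send

    def _fails_security_test(self, src, event, now):
        window = self.seen[(src, event)]
        window.append(now)
        while window and now - window[0] > self.interval:
            window.popleft()                      # drop occurrences outside the interval
        if len(window) > self.occ_threshold:
            self.rating[src] += 1
            window.clear()                        # assumption: one rating step per burst
        return self.rating[src] > self.rating_threshold

    def _handle(self, src, event, now):
        if not self._fails_security_test(src, event, now):
            return False
        # Modify the topology entry of the offending node, then raise the alarm.
        self.topology.setdefault(src, {})["trusted"] = False
        self.sent_alarms.append(
            {"reporter": self.name, "culprit": src, "event": event})
        return True

    def on_event(self, neighbor, event, now):
        """Claims 1 and 3: event received directly from a neighboring node."""
        return self._handle(neighbor, event, now)

    def on_alarm(self, alarm, now):
        """Claims 4 and 5: alarm from another node about a further node."""
        reporter = self.topology.get(alarm["reporter"], {})
        if not reporter.get("trusted", False):    # assumed trust test
            return False                          # untrusted reporters are ignored
        return self._handle(alarm["culprit"], alarm["event"], now)
```

Because the relayed alarm only feeds the same counting and rating path, a single reporter cannot get a node flagged with one message, and a reporter that has itself been flagged is ignored.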

6. Computer program product comprising a computer readable
medium having embodied therein computer readable program code
means for causing a processor of a node in a data processing
network comprising a plurality of nodes to perform a method for
security management in the node, wherein each node maintains
topology data representing the network, the method comprising:

evaluating an event received by the node from a neighboring
node in the network to determine if the event satisfies a
predetermined security test; and,

if the event fails the security test, modifying an entry
associated with the neighboring node in the topology data
maintained by the node, and sending an alarm notification
indicative of the security failure to any other nodes of the
network.

7. Computer program product as claimed in claim 6, wherein the
sending step includes sending the alarm notification to all nodes
in the network.

8. Computer program product as claimed in claim 6, wherein the
evaluating of the event received from the neighboring node
comprises:

counting the number of occurrences of the event in a
predetermined time interval;

incrementing a rating of the neighboring node if the number
of occurrences exceeds a predetermined event occurrence
threshold; and,

determining that the event fails the security test if the
rating of the neighboring node exceeds a predetermined rating
threshold.

9. Computer program product as claimed in claim 6, comprising:

receiving an alarm notification generated by another node in
the network, the received alarm notification being indicative of
an event caused by a further node in the network;

evaluating the alarm notification generated by the other
node to determine if the other node satisfies a predetermined
trust test, and,

evaluating the event indicated by the alarm notification if
the other node passes the trust test to determine if the event
indicated by the alarm notification satisfies the security test;
and,

if the event indicated by the alarm notification fails the
security test, modifying the topology data associated with the
event causing node in the topology data maintained by the node,
and sending another alarm notification indicative of the security
failure to other nodes of the network.

10. Computer program product as claimed in claim 9, wherein the
evaluating of the event indicated by the alarm notification
comprises:

counting the number of occurrences of the event indicated by
the alarm notification in a predetermined time interval;

incrementing a rating of the event causing node if the
number of occurrences exceeds a predetermined event occurrence
threshold; and,

determining that the event indicated by the alarm
notification fails the security test if the rating of the event
causing node exceeds a predetermined rating threshold.

11. Apparatus for security management in a node of a data
processing network comprising a plurality of nodes, wherein each
node maintains topology data representing the network, the
apparatus comprising control logic configured to evaluate an
event received by the node from a neighboring node in the network
to determine if the event satisfies a predetermined security
test, to modify an entry associated with the neighboring node in
the topology data maintained by the node if the event fails the
security test, and to send an alarm notification indicative of
the security failure to other nodes in the network.

12. Apparatus as claimed in claim 11, wherein the control logic
is configured to send the alarm notification to all nodes of the
network.

13. Apparatus as claimed in claim 11, wherein the control logic
is configured such that evaluating the event received from the
neighboring node comprises counting the number of occurrences of
the event in a predetermined time interval, incrementing a rating
of the neighboring node if the number of occurrences exceeds a
predetermined event occurrence threshold, and, determining that
the event fails the security test if the rating of the
neighboring node exceeds a predetermined rating threshold.

14. Apparatus as claimed in claim 11, wherein the control logic
is configured: to receive an alarm notification generated by
another node in the network, the received alarm notification
being indicative of an event caused by a further node in the
network; to evaluate the received alarm notification to determine
if the other node satisfies a predetermined trust test; to
evaluate the event indicated by the alarm notification if the
other node passes the trust test to determine if the event
indicated by the alarm notification satisfies the security test;
to modify the topology data associated with the event causing
node in the topology data maintained by the node if the event
indicated by the alarm notification fails the security test; and,
to send another alarm notification indicative of the security
failure to other nodes of the network.

15. Apparatus as claimed in claim 14, wherein the control logic
is configured such that evaluating of the event indicated by the
alarm notification comprises: counting the number of occurrences
of the event indicated by the alarm notification in a
predetermined time interval; incrementing a rating of the event
causing node if the number of occurrences exceeds a predetermined
event occurrence threshold; and, determining that the event
indicated by the alarm notification fails the security test if
the rating of the event causing node exceeds a predetermined
rating threshold.

16. Apparatus as claimed in claim 11, further comprising a
memory for storing the topology data.

17. Data processing node for connection to a data processing
network comprising a plurality of nodes, wherein each node
maintains topology data representing the network, the data
processing node comprising: a memory for storing the topology
data; and, security management control logic connected to the
memory and configured to evaluate an event received by the node
from a neighboring node in the network to determine if the event
satisfies a predetermined security test, to modify an entry
associated with the neighboring node in the topology data stored
in the memory if the event fails the security test, and to send
an alarm notification indicative of the security failure to other
nodes of the network.

18. Data processing node as claimed in claim 17, wherein the
control logic is configured to send the alarm notification to all
neighboring nodes.

19. Data processing node as claimed in claim 17, wherein the
control logic is configured such that evaluating the event
received from the neighboring node comprises counting the number
of occurrences of the event in a predetermined time interval,
incrementing a rating of the neighboring node if the number of
occurrences exceeds a predetermined event occurrence threshold,
and, determining that the event fails the security test if the
rating of the neighboring node exceeds a predetermined rating
threshold.

20. Data processing node as claimed in claim 17, wherein the
control logic is configured: to receive an alarm notification
generated by another node in the network, the received alarm
notification being indicative of an event caused by a further
node in the network; to evaluate the received alarm notification
to determine if the other node satisfies a predetermined trust
test; to evaluate the event indicated by the alarm notification
if the other node passes the trust test to determine if the event
indicated by the alarm notification satisfies the security test;
to modify the topology data associated with the event causing
node in the topology data stored in the memory if the event
indicated by the alarm notification fails the security test; and,
to send another alarm notification indicative of the security
failure to other nodes of the network.

21. Data processing node as claimed in claim 20, wherein the
control logic is configured such that evaluating of the event
indicated by the alarm notification comprises: counting the
number of occurrences of the event indicated by the alarm
notification in a predetermined time interval; incrementing a
rating of the event causing node if the number of occurrences
exceeds a predetermined event occurrence threshold; and,
determining that the event indicated by the alarm notification
fails the security test if the rating of the event causing node
exceeds a predetermined rating threshold.

22. Data processing network comprising a plurality of data
processing nodes, wherein each node maintains topology data
representing the network, each of the data processing nodes
comprising: a memory for storing the topology data; and, security
management control logic connected to the memory and configured
to evaluate an event received by the node from a neighboring node
in the network to determine if the event satisfies a
predetermined security test, to modify an entry associated with
the neighboring node in the topology data stored in the memory if
the event fails the security test, and to send an alarm
notification indicative of the security failure to any other
nodes of the network.



23. Data processing network as claimed in claim 22, wherein the
control logic is configured to send the alarm notification to all
nodes of the network.

24. Data processing network as claimed in claim 22, wherein the
control logic is configured such that evaluating the event
received from the neighboring node comprises counting the number
of occurrences of the event in a predetermined time interval,
incrementing a rating of the neighboring node if the number of
occurrences exceeds a predetermined event occurrence threshold,
and, determining that the event fails the security test if the
rating of the neighboring node exceeds a predetermined rating
threshold.

25. Data processing network as claimed in claim 22, wherein the
control logic is configured: to receive an alarm notification
generated by another node in the network, the received alarm
notification being indicative of an event caused by a further
node in the network; to evaluate the received alarm notification
to determine if the other node satisfies a predetermined trust
test; to evaluate the event indicated by the alarm notification
if the other node passes the trust test to determine if the event
indicated by the alarm notification satisfies the security test;
modifying the topology data associated with the event causing
node in the topology data stored in the memory if the event
indicated by the alarm notification fails the security test; and,
to send another alarm notification indicative of the security
failure to other nodes of the network.



26. Data processing node as claimed in claim 25, wherein the
control logic is configured such that evaluating of the event
indicated by the alarm notification comprises: counting the
number of occurrences of the event indicated by the alarm
notification in a predetermined time interval; incrementing a
rating of the event causing node if the number of occurrences
exceeds a predetermined event occurrence threshold; and,
determining that the event indicated by the alarm notification
fails the security test if the rating of the event causing node
exceeds a predetermined rating threshold.



